SSL Bump issues

Hello all,

Brief version:
Can't get ssl_bump working to get an old XP system's schannel.dll (i.e. built-in SSL) talking to a TLS 1.2 server, but it works with Firefox (which has its own SSL stack).

Long version:
This afternoon's task was to try to solve the issue of an old internal legacy XP system (and thus stuck on TLS 1.0) that can't be upgraded, but needs to be able to speak to servers running TLS 1.2. I've tried several approaches, and using squid with ssl_bump seemed to be the most appropriate solution, but for the life of me, I've not been able to get it to work properly, so I was hoping for a few pointers.

The software that needs to run uses the built-in schannel dll, but it can have a proxy specified, so things don't have to be transparent, ...but it does get stuck with all the limitations of the ancient schannel dll. It does, however, mean I can use the system's IE for testing.

First up, I'm running Debian on my squid server. That means the distro packages don't have ssl support compiled in, so I had to compile my own packages. The version is 3.5.23, and the relevant configure output is:

I have a test site I'm using that I can fiddle with the ciphers on, and I can access it fine from the legacy system directly when I enable the old stuff (TLS 1.0, etc), but even then it seems to be squid's encryption (or maybe, decryption from the client?) that isn't working as it still won't connect regardless of what I try.

Even if I throw in an explicit list of ciphers, copied from the target server (incidentally, the same host as squid, if that's relevant), still nada.

Interestingly, ssl_bump seems to work perfectly fine from Firefox from the same machine, even when crippled down to TLS 1.0 only with the server set to restrict to TLS 1.2. So it seems to be doing what I want, just not for schannel.dll? I'm suspecting that openssl as used by squid can't speak any ciphers that schannel can, so it seems the issue isn't actually between squid and the target server, but between squid and the old client...

> Hello all,
>
> Brief version:
> Can't get ssl_bump working to get an old XP system's schannel.dll (i.e.
> built-in SSL) talking to a TLS 1.2 server, but it works with Firefox (which
> has its own SSL stack).
>
> Long version:
> This afternoon's task was to try to solve the issue of an old internal
> legacy XP system (and thus stuck on TLS 1.0) that can't be upgraded, but
> needs to be able to speak to servers running TLS 1.2. I've tried several
> approaches, and using squid with ssl_bump seemed to be the most appropriate
> solution, but for the life of me, I've not been able to get it to work
> properly, so I was hoping for a few pointers.
>
> The software that needs to run uses the built-in schannel dll, but it can
> have a proxy specified, so things don't have to be transparent, ...but it
> does get stuck with all the limitations of the ancient schannel dll. It
> does, however, mean I can use the system's IE for testing.
>
> First up, I'm running Debian on my squid server. That means the distro
> packages don't have ssl support compiled in, so I had to compile my own
> packages. The version is 3.5.23, and the relevant configure output is:
>
>
>
> I had to compile against the older version of openssl due to the changes in
> their locking API, so I installed
> https://packages.debian.org/stretch/libssl1.0-dev, which enabled me to
> compile successfully.
>
> I've looked at countless examples, i.e.
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
> ...but the only way I've got any successful SSL proxying is with:
>
>
> ...but as expected, that's clearly not doing any bumping from the logs:
>
>
>
> When I put anything more in, i.e.
>
>
> Then it turns on the mode:
>
>
> ...but then I just get errors about no ciphers:
>
>
> I have a test site I'm using that I can fiddle with the ciphers on, and I
> can access it fine from the legacy system directly when I enable the old
> stuff (TLS 1.0, etc), but even then it seems to be squid's encryption (or
> maybe, decryption from the client?) that isn't working as it still won't
> connect regardless of what I try.
>
> Even if I throw in an explicit list of ciphers, copied from the target
> server (incidentally, the same host as squid, if that's relevant), still
> nada.
>
> Interestingly, ssl_bump seems to work perfectly fine from Firefox from the
> same machine, even when crippled down to TLS 1.0 only with the server set to
> restrict to TLS 1.2. So it seems to be doing what I want, just not for
> schannel.dll? I'm suspecting that openssl as used by squid can't speak any
> ciphers that schannel can, so it seems the issue isn't actually between
> squid and the target server, but between squid and the old client...
>
>
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-Bump-issues-tp4681843.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users

Re: SSL Bump issues

> ...but the only way I've got any successful SSL proxying is with:
>
>
> ...but as expected, that's clearly not doing any bumping from the logs:
>
>
>
> When I put anything more in, i.e.
>
>
> Then it turns on the mode:
>
>
> ...but then I just get errors about no ciphers:
>

Please note that your configuration and other details in the post did
not get through to the mailing list (probably due to some fancy quoting
provided by Nabble that does not get through to the actual squid-users
mailing list).